OnionScan: This programme can tell if your secret Dark Web site is truly anonymous

A researcher has developed a tool that spots vulnerabilities that might leak the identities and locations of people who run hidden websites on the Dark Web Getty

Users who host websites on the Dark Web can now check to see if their website contains any vulnerabilities that might inadvertently expose their locations and identities, using a new tool developed by an independent security researcher.

Sarah Jamie Lewis has developed an open source programme called OnionScan that can tell site administrators whether there are any mistakes in setting up websites on the Dark Web which could potentially expose the administrator, such as metadata in files uploaded to the website, or an open server status page that leaks the web server's real IP address, or images posted to the website that contain GPS coordinates of where they were taken.

There are a multitude of people who need to stay anonymous online, ranging from people who run whistle-blowing platforms, to criminals. The Dark Web is a section of the internet not discoverable by conventional means, such as through a Google search or by directly entering a website URL.

As the websites are hidden, they are perfect for cybercriminals, who list thousands of goods and services for sale on secret underground marketplaces, including narcotics, chemicals, firearms and counterfeit goods, in addition to adverts for services such as hacking, gambling and sports betting.

Many people who access websites on the Dark Web also use the Tor network (named after The Onion Router project) to disguise web traffic to and from the sites, so that authorities, spy agencies and other interested parties cannot tell who has accessed the secret websites any more than they can discover where their servers are located.

Much better security practices needed

"I want anonymity tools to be the best; there are people whose lives depend on them," Lewis told Motherboard Vice. "While doing some research earlier this year I kept coming across the same issues in hidden services — exposed Apache status pages, images not stripped of exif data, pages revealing information about the tools used to build it with, etc. The goal is [to] provide an easy way of testing these things to drive up the security bar."

Lewis analysed multiple websites located on the Dark Web, and found that many of them fail to have basic security practices in place, including the underground marketplaces, which would have the biggest reason to want to avoid being detected.

In June 2015, UK-based security researcher Thomas White, a Tor hidden server developer, discovered the IP addresses of two shady sites hidden on the Dark Web, namely Kiss Marketplace, a now-defunct site where users could buy and sell drugs, even though the website, and the IP address of Tor Carders Market V.2, which promotes stolen credit cards for sale.

White was also able to gather information on more than 500 other websites hidden on the Dark Web, which shows that Tor isn't enough to protect websites – site administrators need to improve their website security practices.